Harden dependency management with Dependabot cooldowns, grouping, and hash-pinned Python requirements

[Copilot]

This PR tightens dependency management for the repository by hardening Dependabot behavior (cooldown + grouping) and making the release workflow's Python tooling install deterministic via hash-pinned requirements.

Changes Made

• .github/dependabot.yml: Added cooldown settings and groups GitHub Actions updates under a single wildcard group. Added a pip ecosystem entry so Dependabot tracks and proposes updates for the hash-pinned requirements.txt dependencies (weekly schedule, 3-day cooldown, grouped under python-deps).
• .github/workflows/release.yml: Switches release-version parsing dependency install to pip install -r requirements.txt --require-hashes for deterministic, hash-verified installs.
• requirements.txt: Adds a hash-pinned Python dependency lockfile for yq and its transitive dependencies, intended for deterministic installs in CI.

[Copilot]

Pull request overview

This PR tightens dependency management for the repository by hardening Dependabot behavior (cooldown + grouping) and making the release workflow’s Python tooling install deterministic via hash-pinned requirements.

Changes:

• Added Dependabot cooldown configuration per ecosystem and grouped GitHub Actions updates into a single wildcard group.
• Updated the release workflow to install yq (and its deps) from a hash-verified requirements.txt instead of ad-hoc pip install yq.
• Introduced a new hash-pinned requirements.txt lockfile for the workflow’s Python dependencies.

Show a summary per file

File	Description
requirements.txt	Adds a hash-pinned Python dependency lockfile intended for deterministic installs.
.github/workflows/release.yml	Switches release-version parsing dependency install to pip install -r requirements.txt --require-hashes.
.github/dependabot.yml	Adds cooldown settings and groups GitHub Actions updates under a single group.

Copilot's findings

• Files reviewed: 2/3 changed files
• Comments generated: 1

[felickz]

👍 🤖🟢- Tests Pass

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: The number of snapshots compared for the base SHA (0) and the head SHA (1) do not match. You may see unexpected additions in the diff.

Consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

requirements.txt

Package	Version	License	Issue Type
tomlkit	0.15.0	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/argcomplete	3.6.3	Unknown	Unknown
pip/pyyaml	6.0.3	Unknown	Unknown
pip/tomlkit	0.15.0	Unknown	Unknown
pip/xmltodict	1.0.4	Unknown	Unknown
pip/yq	3.4.3	🟢 3.1	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 no SAST tool detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches

Scanned Files

• requirements.txt